Ftp – ProFTPD/vsftpd readonly/readwrite access depending on connection source

ftpproftpd

Is there any possibility to configure ProFTPD that way:

User has read/write FTP access to his home directory

If User connects from inside LAN (e.g. 172.16.0.0) he should have full access (read/write) as usual

If User connects from outside (from internet, or any other network) he should have read only access.

Both cases User should have same login/password

Only one instance of ProFTPD should be active.
Instead ProFTPD we can use vsftpd, if it is neccesary.

Is there any ideas to do it?

Thanks!

Best Answer

Within the ProFTPD configuration, you can set up some ACLs based on the connection origin. Therefore, you just have to put a Limits directive on read/write commands and define the correct ACLs.

Cheers.

Related Solutions

Ftp – How to tell SELinux to give vsftpd write access in a specific directory

# semanage fcontext -a -t public_content_rw_t "/myftp/pub(/.*)?"

Be sure to include the (/.*)? at the end of the directory name.

I also tried to use audit2allow to generate a policy, but what it does is generate a policy that gives ftpd write access to directories of type public_content_t; this is equivalent to turning on allow_ftpd_full_access, if I understood it correctly

Essentially, yes; since SELinux allows directories/files labeled with public_content_t to be shared between different services. However, further access control is in place through the use of sebooleans (or sebool, more precisely).

Giving "ftpd full access", doesn't mean giving it the rights to do/read/write what and where it wants. SELinux has designated policies in place for the services on your system; meaning, ftpd is allowed to read files if the directory's file context (fcontext) is public_content_t. SELinux gives write permissions to the ftp server if the directory's fcontext is public_content_rw_t; other services such as samba, apache, etc. have to be allowed write permissions to those directories through the booleans, according to the pertaining RedHat Documentation. If your "local policy" gives ftpd write access in directories labelled public_content_t, it essentially strips away a layer of security. Therefore, I suggest labeling the directory with the public_content_rw_t context, and removing your custom generated local policy.

For further information and details, please see the SELinux wiki pages.

Ftp – Understanding Permissions with ProFTPD (Especially Group Write)

According to the docs, you cannot set the SGID bit in the umask directive; it says: "Any arguments supplied must be an octal number, in the format 0xxx."

http://proftpd.org/docs/directives/linked/config_ref_Umask.html

As joschi alludes to, what you really want is "Umask 0002" - a umask is bitwise to the object, not an absolute CHMOD setting. You only need to specify it once (not "umask 0002 0002") as the first will apply to all.

Best Answer

Related Solutions

Ftp – How to tell SELinux to give vsftpd write access in a specific directory

Ftp – Understanding Permissions with ProFTPD (Especially Group Write)

Related Topic